Hi Phil,
You say you've already checked for offending cron jobs, so:
First, I would check to see if there are any UID 0 accounts other than root, (and get rid of them!)
Second, see if there is a file called /etc/shutdown.allow
if so, any user listed in there could be the culprit. Prevent anyone other than root from using the shutdown command like so:
# > /etc/shutdown.allow
# chmod 400 /etc/shutdown.allow
Third, is there a /.rhosts file on this system? If possible, get rid of it (at least temporarily until you find the cuplrit)
Also check the history files of all users, looking for shutdown and/or su
and check /var/adm/sulog and syslog to see who might be switching to root just before these shutdowns occur.
There is also a chance that someone has left a SUID script or program lying around, perhaps as a back door.
The following script comes courtesy of the Centre for Internet Security, and will find any SUID & SGID executables on the system:
for part in \
`awk '($3 ~ /^(hfs|vxfs)$/) { print $2 }' /etc/fstab`
do find "$part" \( -perm -04000 -o -perm -02000 \) \
-type f -xdev -print
done | grep -v "^/var/adm/sw/"
What does this button do?
